操作系统基础信息搜集

前言

对于操作系统的信息搜集有什么作用?提权、深入测试、域渗透、留后门······
有一位大师傅曾经说过:内网渗透的本质是信息搜集。

看了许多内网信息收集的文章,所用到的收集信息的命令大都是相同的。既然如此,写一个简单的脚本省去一些重复操作。

Windows

常用命令

whoami/echo %USERNAME%  # 当前用户
ipconfig  # IP 信息
net user  # 用户列表
systeminfo  # 查看系统信息
wmic qfe  get HotFixID  # 纯补丁信息
set  # 查看环境变量
netsh firewall show state  # 查看防火墙状态
net localgroup  # 查看用户组
net localgroup administrators  # 查看本机管理员
net config workstation  # 查看当前计算机名,全名,用户名,系统版本,工作站域,登陆域


netstat -ano  # 查看端口
tasklist  # 查看所有进程
net start  # 查看已启动的服务
net share  # 查看共享列表


net user /domain  # 获取域内用户信息
net view /domain  # 查询域
net group /domain  # 查询域内所有用户组
net group "domain computers" /domain  # 查询所有域成员计算机
net accounts /domain  # 获取域密码信息
net group "Domain admins" /domain  # 收集管理员列表
net group "Domain Controller" /domain  # 查询域控制器列表
Nslookup -type=SRV _ldap._tcp  # 查看域控制器的主机

可能存在敏感文件

C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
c:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml

Linux

常用命令

whoami  # 用户名
id  # 用户 id
cat /etc/shadow #获取用户 hash,需要 root 权限
cat /etc/issue  # 查看系统名称
cat /etc/lsb-release  # 查看系统名称、版本号
uname -a  # 查看所有信息
ps aux  # 查看所有进程详细信息
top  # 查看进程
ifconfig/ip addr  # 查看 IP
cat /etc/services  # 查看存在的服务
history  # 查看历史命令
cat ~/.bash_history # 所有历史命令
dpkg -l  # 查看安装的软件包
lastlog  # 查看用户登录日志
cat /etc/group  # 查看用户组
grep -v -E "^#" /etc/passwd | awk -F: '$3==0{print $1}'  # 列出超级用户
env  # 查看环境变量
last  # 历史登陆用户

可能存在的敏感文件

cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

简易脚本

# -s 指定操作系统  Linux/Windows
# -d 指定是否存在域,不清楚可省略 0/1 0表示无,1表示有
import subprocess
import argparse


# Windows command table, grouped as [host/user basics, network & processes, domain].
# Each entry maps the shell command to the label printed above its output.
_win_basic = {
    'whoami': '当前用户',
    'ipconfig': 'IP 信息',
    'net user': '用户列表',
    'systeminfo': '查看系统信息',
    'wmic qfe get HotFixID': '补丁信息',
    'set': '环境变量',
    'netsh firewall show state': '防火墙状态',
    'net localgroup': '所有用户组',
    'net localgroup administrators': '管理员组成员',
    'net config workstation': '当前计算机名、全名、用户名、系统版本、工作站域、登陆域',
}

_win_network = {
    'netstat -ano': '端口信息',
    'tasklist': '所有进程',
    'net start': '已启动服务',
    'net share': '共享列表',
}

# Last group on purpose: getInfo drops the final element when -d is '0' (no domain).
_win_domain = {
    'net view /domain': '查询域结果',
    'net user /domain': '域内用户信息',
    'net group /domain': '域内所有用户组',
    'net group "domain computers" /domain': '所有域成员计算机',
    'net accounts /domain': '域密码信息',
    'net group "Domain admins" /domain': '域管理员列表',
    'net group "Domain Controller" /domain': '查询域控制器列表',
    'nslookup -type=SRV _ldap._tcp': '域控制器的主机',
}

cmds = [_win_basic, _win_network, _win_domain]

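# Linux command table, grouped as [host/user basics, packages/services/processes,
# root-only]. Each entry maps the shell command to the label printed above its output.
bashs = [
    {
        'whoami': '用户名',
        'id': '用户 id',
        'cat /etc/issue': '查看系统名称',
        'cat /etc/lsb-release': '系统名称、版本号',
        'uname -a': '内核信息',
        'ip addr': 'IP',
        'cat ~/.bash_history': '历史命令',
        # The awk program must be single-quoted: inside double quotes the shell
        # expanded $3 and $1 to empty strings before awk ever saw them.
        "grep -v -E '^#' /etc/passwd | awk -F: '$3==0{print $1}'": '超级用户',
        'env': '环境变量',
        'lastlog': '用户登录日志',
        'last': '历史登陆用户',
        'cat /etc/group': '查看用户组',
    },
    {
        'dpkg -l': '查看安装的软件包',
        'cat /etc/services': '存在的服务',  # path was misspelled 'serivices'
        'ps aux': '所有进程详细信息',  # command was misspelled 'pa aux'
    },
    {
        # Readable only as root; its content is password hashes, which end up in result.txt.
        'cat /etc/shadow': '用户 hash',
    }
]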

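# Candidate sensitive files on Windows, one per line. This must be a raw string:
# as a normal literal, \a / \r / \t became control characters (so e.g. the
# "\repair\SAM" entries could never match) and "\xampp" is a SyntaxError.
win = r'''C:\Apache\conf\httpd.conf
C:\Apache\logs\access.log
C:\Apache\logs\error.log
C:\Apache2\conf\httpd.conf
C:\Apache2\logs\access.log
C:\Apache2\logs\error.log
C:\Apache22\conf\httpd.conf
C:\Apache22\logs\access.log
C:\Apache22\logs\error.log
C:\Apache24\conf\httpd.conf
C:\Apache24\logs\access.log
C:\Apache24\logs\error.log
C:\Documents and Settings\Administrator\NTUser.dat
C:\php\php.ini
C:\php4\php.ini
C:\php5\php.ini
C:\php7\php.ini
C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache\logs\access.log
C:\Program Files (x86)\Apache Group\Apache\logs\error.log
C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
c:\Program Files (x86)\php\php.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache\conf\logs\access.log
C:\Program Files\Apache Group\Apache\conf\logs\error.log
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\logs\access.log
C:\Program Files\Apache Group\Apache2\conf\logs\error.log
C:\Program Files\FileZilla Server\FileZilla Server.xml
C:\Program Files\MySQL\my.cnf
C:\Program Files\MySQL\my.ini
C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
C:\Program Files\MySQL\MySQL Server 5.0\my.ini
C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
C:\Program Files\MySQL\MySQL Server 5.1\my.ini
C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
C:\Program Files\MySQL\MySQL Server 5.5\my.ini
C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
C:\Program Files\MySQL\MySQL Server 5.6\my.ini
C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
C:\Program Files\MySQL\MySQL Server 5.7\my.ini
C:\Program Files\php\php.ini
C:\Users\Administrator\NTUser.dat
C:\Windows\debug\NetSetup.LOG
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\php.ini
C:\Windows\repair\SAM
C:\Windows\repair\system
C:\Windows\System32\config\AppEvent.evt
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\system
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SecEvent.evt
C:\Windows\System32\config\SysEvent.evt
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\winevt\Logs\Application.evtx
C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\System.evtx
C:\Windows\win.ini
C:\xampp\apache\conf\extra\httpd-xampp.conf
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\FileZillaFTP\FileZilla Server.xml
C:\xampp\MercuryMail\MERCURY.INI
C:\xampp\mysql\bin\my.ini
C:\xampp\php\php.ini
C:\xampp\security\webdav.htpasswd
C:\xampp\sendmail\sendmail.ini
C:\xampp\tomcat\conf\server.xml'''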

lin = """/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/auth.log
/var/log/chttp.log
/var/log/cups/error_log
/var/log/dpkg.log
/var/log/faillog
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/messages
/var/log/secure
/var/log/syslog
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/run/utmp
/var/webmin/miniserv.log
/var/www/logs/access_log
/var/www/logs/access.log"""

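# One candidate path per line in the literals above; neither literal ends with
# a newline, so split('\n') yields no empty trailing entry.
Win_files = win.split('\n')
Lin_files = lin.split('\n')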


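def _decode_output(raw):
    """Decode captured command output, trying UTF-8 first and then GBK.

    Decoding the captured bytes once replaces the original approach of re-running
    the whole command with a different encoding after a UnicodeDecodeError. If
    neither encoding fits, undecodable bytes are replaced instead of raising.
    """
    for enc in ("utf-8", "gbk"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("utf-8", errors="replace")


def _run_command(cmd):
    """Run one shell command and return its stdout as text; stderr is discarded.

    The commands come from the fixed tables in this file, not from user input,
    and some are pipelines, which is why shell=True is used. subprocess.run
    drains both pipes and waits, so a chatty stderr cannot stall the child.
    A command that cannot be spawned at all is reported inline rather than
    aborting the whole collection.
    """
    try:
        proc = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except OSError as exc:
        return f"<failed to run: {exc}>\n"
    return _decode_output(proc.stdout)


def _readable_files(paths):
    """Yield each path in *paths* that the current user can open for reading.

    Only open() is attempted, nothing is read. Missing files and permission
    errors are the expected negative result, so OSError is swallowed on purpose.
    """
    for path in paths:
        try:
            with open(path, 'r'):
                pass
        except OSError:
            continue
        yield path


def getInfo(system, key):
    """Run the command table for *system*, probe the sensitive-file list, and
    append the whole report to result.txt in the current directory.

    Args:
        system: 'Windows' selects the Windows tables (cmds / Win_files); any
            other value selects the Linux ones (bashs / Lin_files).
        key: the -d domain flag. '0' (or the int 0 that argparse supplies by
            default) drops the last command group on Windows, i.e. the domain
            queries; the value is compared as a string so both spellings agree.

    Side effects: executes every selected command and prints its output, prints
    the readable files, and appends to result.txt. That file aggregates
    sensitive output (for example /etc/shadow when run as root) and is never
    truncated between runs, so handle and dispose of it accordingly.
    """
    if system == "Windows":
        # Slice instead of pop() so the module-level cmds list is left intact.
        exes = cmds[:-1] if str(key) == '0' else list(cmds)
        files = Win_files
    else:
        exes = list(bashs)
        files = Lin_files

    report_parts = []
    for commands in exes:
        for cmd, label in commands.items():
            section = label + ":\n" + _run_command(cmd) + "-------******-------\n"
            print(section)
            report_parts.append(section)

    report_parts.append('存在的敏感文件有:\n')
    print('存在的敏感文件有:(Linux 下由于权限问题扫描可能会不准确!请复测!!)\n')
    for path in _readable_files(files):
        report_parts.append(path + '\n')
        print(path + '\n')

    # Explicit UTF-8 so decoded output cannot fail to encode under a GBK locale.
    with open('result.txt', 'a+', encoding='utf-8') as f:
        f.write(''.join(report_parts))
    print("\n\nEverything is Done!")
    print('执行的命令有:')
    for commands in exes:
        for cmd in commands:
            print(cmd)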


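def main():
    """Parse -s/--system and -d/--domain from the command line and run getInfo.

    -d defaults to the string '0' rather than the int 0: getInfo tests the flag
    against '0', so with an int default the domain command group was never
    dropped unless the user passed '-d 0' explicitly.
    """
    parser = argparse.ArgumentParser(description='InfoScan')
    parser.add_argument("-s", "--system", help="指定操作系统", default='Windows')
    parser.add_argument("-d", "--domain", help="是否存在域,不确定可以不用加", default='0')
    args = parser.parse_args()
    getInfo(args.system, args.domain)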


# Script entry point; importing this file as a module does not start a scan.
if __name__ == "__main__":
    main()
原文地址:https://www.cnblogs.com/wjrblogs/p/13453504.html